The vulnerability allowed hackers to inject code in vulnerable sites, which they later used to redirect incoming visitors to all sorts of nasties, such as tech support scams, sites peddling malware-laced software updates, or plain ol' spammy pages showing ads.

Some technical info - redirected to searchnotifyfriends dot info using a WordPress plugin. Large traffic spike to domain, from Cisco Umbrella data: pic.twitter.com/nzsC5WQK0r

Mailgun was just one random victim of these attacks, and not the only one. Other site owners reported similar issues with their sites on the plugin's support forum on WordPress.org [1, 2, 3], and on other web-dev discussion forums, such as Stack Overflow.

Researcher dropped zero-day exploit online without warning

Today's massive hacking campaign could have been avoided if only the web developer who found the Yuzo Related Posts plugin vulnerability had reported the issue to its author instead of publishing proof-of-concept code online.

As a result of this proof-of-concept code being made available to everyone, the plugin was removed from the official WordPress Plugins repository on the same day, preventing further downloads until a patch was made available.

However, this didn't remove the plugin from the sites around the world that had already installed it, all of which remained vulnerable. At the time of its removal, the plugin had already been installed on more than 60,000 sites, according to official WordPress.org stats.

Things got so desperate today in the early hours of the attacks that the plugin's author called on users to "remove this plugin immediately" from their sites until an update would be available.

There's a group going after WordPress sites

According to Defiant, the company behind the WordPress firewall plugin, the hacking group behind today's attacks is the same group that exploited two zero-days in two other plugins in previous weeks, namely in the Easy WP SMTP and Social Warfare plugins.

"Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53," said Dan Moen, Defiant researcher. "That same IP address was used in the Social Warfare and Easy WP SMTP campaigns."
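For site owners checking whether their pages were tampered with, the indicators quoted above (the script host, its IP address, and the redirect destination from the earlier tweet) are what a scan should look for. The following is an added example written for this article, not code from Defiant, Sucuri, Mailgun or the plugin's author: it parses a page's HTML, lists every script tag, and flags external scripts or inline script bodies that reference the quoted indicators, plus any external script host that is not on a site-specific allowlist (the `allowed_hosts` parameter and the sample page are assumptions constructed for the demonstration).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the article (defanged there as hellofromhony[.]org,
# 176.123.9[.]53 and "searchnotifyfriends dot info"); undefanged for matching.
KNOWN_BAD_HOSTS = {"hellofromhony.org", "searchnotifyfriends.info"}
KNOWN_BAD_IPS = {"176.123.9.53"}


class _ScriptCollector(HTMLParser):
    """Collects <script src="..."> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of external scripts
        self.inline = []        # text of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
            src = dict(attrs).get("src")
            if src:
                self.external.append(src.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)

    def handle_data(self, data):
        # Script content may arrive in several chunks; buffer until </script>.
        if self._in_script:
            self._buf.append(data)


def _host_of(src):
    """Lowercase host of an absolute or protocol-relative script URL.
    Relative paths (same-origin) yield '' and are not treated as third-party."""
    if src.startswith("//"):
        src = "https:" + src
    if "://" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def find_injected_script_indicators(html, allowed_hosts):
    """Return findings as dicts with 'kind' ('external' or 'inline'),
    'value' and 'reason'. Known indicators are reported first per script;
    an external host outside the allowlist is reported as 'unlisted'."""
    collector = _ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in collector.external:
        host = _host_of(src)
        if host in KNOWN_BAD_HOSTS or host in KNOWN_BAD_IPS:
            findings.append({"kind": "external", "value": src,
                             "reason": "known indicator: " + host})
        elif host and host not in allowed:
            findings.append({"kind": "external", "value": src,
                             "reason": "unlisted third-party host: " + host})
    for body in collector.inline:
        low = body.lower()
        hits = sorted(i for i in KNOWN_BAD_HOSTS | KNOWN_BAD_IPS if i in low)
        if hits:
            findings.append({"kind": "inline", "value": body[:80],
                             "reason": "known indicator: " + ", ".join(hits)})
    return findings


# Constructed sample page (not captured from any real site): one same-origin
# script, one allowlisted CDN script, one script from the indicator host and
# one inline redirect to the destination named in the tweet.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example-wp-site.test/theme.js"></script>
<script src="//hellofromhony.org/inject.js"></script>
<script>
  window.location.replace("https://searchnotifyfriends.info/?ref=1");
</script>
</head><body>Hello</body></html>"""


def scan_sample():
    """Run the scan over the constructed page with a hypothetical allowlist."""
    return find_injected_script_indicators(
        SAMPLE_PAGE, allowed_hosts={"cdn.example-wp-site.test"})


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding["kind"], "|", finding["reason"], "->", finding["value"])
```

Running this over the sample reports two findings: the external script loaded from hellofromhony.org and the inline redirect to searchnotifyfriends.info; the same-origin jQuery include and the allowlisted CDN script are not reported. Against a live site the HTML would come from the rendered pages (or from the stored plugin options in the database, where injected markup of this kind is saved), and the allowlist from the hosts the site legitimately loads scripts from.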

The same connection between today's campaign and the previous one targeting the two other plugins was also made by security researchers at Sucuri.

Mailgun did not reply to a request for comment before this article's publication; however, the company removed the plugin and was back up and running within two hours of detecting the problem on its site.

"Our applications including the Mailgun Dashboard, APIs, and customer data stored on our platform were not impacted by this issue," the company said in its status report page.
